-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDKSA-2007:085 http://www.mandriva.com/security/ _______________________________________________________________________ Package : freeradius Date : April 16, 2007 Affected: 2007.0, 2007.1, Corporate 4.0 _______________________________________________________________________ Problem Description: Memory leak in freeRADIUS 1.1.5 and earlier allows remote attackers to cause a denial of service (memory consumption) via a large number of EAP-TTLS tunnel connections using malformed Diameter format attributes, which causes the authentication request to be rejected but does not reclaim VALUE_PAIR data structures. Updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2028 _______________________________________________________________________ Updated Packages: Mandriva Linux 2007.0: 485265e479ed47e03c1966f773c43850 2007.0/i586/freeradius-1.1.2-2.1mdv2007.0.i586.rpm a04d690ae7133426eb697fed54f56199 2007.0/i586/libfreeradius1-1.1.2-2.1mdv2007.0.i586.rpm 5595ff7619d10b67a436712e5a76fc78 2007.0/i586/libfreeradius1-devel-1.1.2-2.1mdv2007.0.i586.rpm 8dd97ce0b5b9ce5a198a1cfe1db0ebb5 2007.0/i586/libfreeradius1-krb5-1.1.2-2.1mdv2007.0.i586.rpm 092420b0c0b79c7d044cb54856f194d4 2007.0/i586/libfreeradius1-ldap-1.1.2-2.1mdv2007.0.i586.rpm 45a1ddd16609babbdda3f39ca9af8c39 2007.0/i586/libfreeradius1-mysql-1.1.2-2.1mdv2007.0.i586.rpm 8eaa8251f9ef2db2163da446759e338e 2007.0/i586/libfreeradius1-postgresql-1.1.2-2.1mdv2007.0.i586.rpm 3241acf858db1afa1250afe6e1f500dc 2007.0/i586/libfreeradius1-unixODBC-1.1.2-2.1mdv2007.0.i586.rpm c7fc04dcb8df275a27d37541353bc0b8 2007.0/SRPMS/freeradius-1.1.2-2.1mdv2007.0.src.rpm Mandriva Linux 2007.0/X86_64: 95758b84f15d847e5df61d9479440700 2007.0/x86_64/freeradius-1.1.2-2.1mdv2007.0.x86_64.rpm baded8fb60d1c41b02a790afac5c6337 2007.0/x86_64/lib64freeradius1-1.1.2-2.1mdv2007.0.x86_64.rpm d9c95ac32f15019081f2ef6343aaf095 2007.0/x86_64/lib64freeradius1-devel-1.1.2-2.1mdv2007.0.x86_64.rpm 04d950d8db9cd92053fdf512727297cd 2007.0/x86_64/lib64freeradius1-krb5-1.1.2-2.1mdv2007.0.x86_64.rpm 2ca93232b0934ec6e5ef121e32fc487b 2007.0/x86_64/lib64freeradius1-ldap-1.1.2-2.1mdv2007.0.x86_64.rpm cb61b2079cacc4b72ab0c7df9a4e463a 2007.0/x86_64/lib64freeradius1-mysql-1.1.2-2.1mdv2007.0.x86_64.rpm 37edc72f39c8b05ce9383e6b5810b288 2007.0/x86_64/lib64freeradius1-postgresql-1.1.2-2.1mdv2007.0.x86_64.rpm 155dbe7aed46442bdcb1a0cab0d61582 2007.0/x86_64/lib64freeradius1-unixODBC-1.1.2-2.1mdv2007.0.x86_64.rpm c7fc04dcb8df275a27d37541353bc0b8 2007.0/SRPMS/freeradius-1.1.2-2.1mdv2007.0.src.rpm Mandriva Linux 2007.1: 7f655754289547a87da54e7f9d56d9c1 2007.1/i586/freeradius-1.1.2-5.1mdv2007.1.i586.rpm 0db64e8f6535adb19f23d22cef6dab39 2007.1/i586/libfreeradius1-1.1.2-5.1mdv2007.1.i586.rpm 9a61e66884c6926e22039e4290b75800 2007.1/i586/libfreeradius1-devel-1.1.2-5.1mdv2007.1.i586.rpm 7db0ee6b971766dc724f31ed185c807f 2007.1/i586/libfreeradius1-krb5-1.1.2-5.1mdv2007.1.i586.rpm 1a9e9007f3f28805b6bf4d9486d4a8e7 2007.1/i586/libfreeradius1-ldap-1.1.2-5.1mdv2007.1.i586.rpm 39a710e6ef266fa3d04030e2f02405e7 2007.1/i586/libfreeradius1-mysql-1.1.2-5.1mdv2007.1.i586.rpm 862bde1f3db0207bc133f49b7d7c7907 2007.1/i586/libfreeradius1-postgresql-1.1.2-5.1mdv2007.1.i586.rpm c1872069cc1ccac4f2468635e575d39e 2007.1/i586/libfreeradius1-unixODBC-1.1.2-5.1mdv2007.1.i586.rpm 9a9a7cf043f8486a1b148f2eb1be1a30 2007.1/SRPMS/freeradius-1.1.2-5.1mdv2007.1.src.rpm Mandriva Linux 2007.1/X86_64: 5ad448a832f4a4ed1227a33433612df9 2007.1/x86_64/freeradius-1.1.2-5.1mdv2007.1.x86_64.rpm d675f6d01f97c0a1f603f58026e0dc1f 2007.1/x86_64/lib64freeradius1-1.1.2-5.1mdv2007.1.x86_64.rpm 4c229c337bb4fd50462bae9963911fc6 2007.1/x86_64/lib64freeradius1-devel-1.1.2-5.1mdv2007.1.x86_64.rpm b6de623842506793d39bb488a5bf062d 2007.1/x86_64/lib64freeradius1-krb5-1.1.2-5.1mdv2007.1.x86_64.rpm 9277ae9c7e972bc3a6a539b8aa787d8e 2007.1/x86_64/lib64freeradius1-ldap-1.1.2-5.1mdv2007.1.x86_64.rpm 2ee400549d37447daa7377e38e6804ef 2007.1/x86_64/lib64freeradius1-mysql-1.1.2-5.1mdv2007.1.x86_64.rpm 19c236506fd00c8939e564625d987617 2007.1/x86_64/lib64freeradius1-postgresql-1.1.2-5.1mdv2007.1.x86_64.rpm 58a862d856c75c61cc28cc914f355f55 2007.1/x86_64/lib64freeradius1-unixODBC-1.1.2-5.1mdv2007.1.x86_64.rpm 9a9a7cf043f8486a1b148f2eb1be1a30 2007.1/SRPMS/freeradius-1.1.2-5.1mdv2007.1.src.rpm Corporate 4.0: c4ceeeacc64b27a3810d7b9e391052c0 corporate/4.0/i586/freeradius-1.0.4-2.3.20060mlcs4.i586.rpm 63232cd692916c816c814f39de733d75 corporate/4.0/i586/libfreeradius1-1.0.4-2.3.20060mlcs4.i586.rpm aab0141fdb684b856871faa3a281e8b1 corporate/4.0/i586/libfreeradius1-devel-1.0.4-2.3.20060mlcs4.i586.rpm db28ccacac6df2430c159b372356cc8d corporate/4.0/i586/libfreeradius1-krb5-1.0.4-2.3.20060mlcs4.i586.rpm 778bdbd5643f737652d697d2b81b185e corporate/4.0/i586/libfreeradius1-ldap-1.0.4-2.3.20060mlcs4.i586.rpm cc3d3c9e06f9484108440498560e22d3 corporate/4.0/i586/libfreeradius1-mysql-1.0.4-2.3.20060mlcs4.i586.rpm ec2d5a756c26a683b06b84d3f91cd573 corporate/4.0/i586/libfreeradius1-postgresql-1.0.4-2.3.20060mlcs4.i586.rpm 9564641192642abf3690e374e262ef09 corporate/4.0/i586/libfreeradius1-unixODBC-1.0.4-2.3.20060mlcs4.i586.rpm b473a94d7dff1a06e2db7cc3da187aa5 corporate/4.0/SRPMS/freeradius-1.0.4-2.3.20060mlcs4.src.rpm Corporate 4.0/X86_64: c1600875ddab2ce7d31d84060668e5b8 corporate/4.0/x86_64/freeradius-1.0.4-2.3.20060mlcs4.x86_64.rpm 69a84b748264aad6555d0d3d92789f32 corporate/4.0/x86_64/lib64freeradius1-1.0.4-2.3.20060mlcs4.x86_64.rpm 7b6dc0a1121b2f1d84d57e38c577c2e8 corporate/4.0/x86_64/lib64freeradius1-devel-1.0.4-2.3.20060mlcs4.x86_64.rpm b3a479b99a541cca01a920fb35872b33 corporate/4.0/x86_64/lib64freeradius1-krb5-1.0.4-2.3.20060mlcs4.x86_64.rpm b66b96b5897b2fee700cf5a848bb8d92 corporate/4.0/x86_64/lib64freeradius1-ldap-1.0.4-2.3.20060mlcs4.x86_64.rpm b2585acc4c9bfabd832bce4f300b877d corporate/4.0/x86_64/lib64freeradius1-mysql-1.0.4-2.3.20060mlcs4.x86_64.rpm d1f8a534fb8da7f37817fd575ed680d3 corporate/4.0/x86_64/lib64freeradius1-postgresql-1.0.4-2.3.20060mlcs4.x86_64.rpm 4ad7d3c251d17fedf7479edcd818f103 corporate/4.0/x86_64/lib64freeradius1-unixODBC-1.0.4-2.3.20060mlcs4.x86_64.rpm b473a94d7dff1a06e2db7cc3da187aa5 corporate/4.0/SRPMS/freeradius-1.0.4-2.3.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (GNU/Linux) iD8DBQFGI8qUmqjQ0CJFipgRAvv9AKDk8ohKdmfc9DibRIWXqx4qbFcWtwCg498c tfsPJ2gb6QZPAJRgcLfunZ4= =czGA -----END PGP SIGNATURE-----